Universities face unique obstacles in securing data

MINNEAPOLIS — Universities are finding it challenging to secure sensitive information, largely because of the value colleges place on communicating freely.

Unlike retail and other business settings, the difficulties begin with an institution that consists mainly of a demographic that has grown up sharing information via the Internet as their primary means of communicating.

They continue with the fact that it's nearly impossible to protect databases and websites when the information used to teach needs to be easily accessible to students and flow freely both off and on campus. Parents also need to be allowed access to the institution's information to make payments online.

“Students are highly technical but are also a wildly unpredictable population of potential aggressors,” because some students will become hackers, James Burnett, a Chicago-based senior broker at Aon Risk Solutions, said during the University Risk Management and Insurance Association Inc.'s 2015 Northern Stars of Risk conference last month in Minneapolis.

Frequent use of social media by students raises risks when it comes to protecting data, along with the more frequent use of Wi-Fi, mobile devices, shared databases and other ways to connect to the Internet, said Mr. Burnett.

The advancement of technology has enhanced hacking ability and even made hacking affordable, he said. The Wi-Fi Pineapple, for example, is a battery-powered, wireless hacking device that is contained in a plastic, life-sized pineapple that can be purchased for about $100. When it is in a hot spot area full of students and their laptops, the Pineapple can see all of the Internet traffic in the area, including emails and instant messages, he explained.

While colleges continue to collect data such as Social Security numbers, medical data, bank account numbers, and birth dates of students as well as their parents, risk managers have begun the process of purging outdated information because of the inherent risk of a data breach of the sensitive information, according to cyber experts.

The risk of a university or any institution being sued for a data breach is increasing, with 47 states enacting legislation requiring notification of data breaches involving personal information. “There are federal and state laws in place that companies failing to safeguard information or notify consumers of intrusions can be sued in court,” said Jason Glasgow, Hartford, Connecticut-based cyber risk product manager at Travelers Cos. Inc., at the conference.

With the average cost of a data breach ranging between $3.7 million, according to Gladwyne, Pennsylvania-based Net Diligence, and $5.5 million, according to Traverse City, Michigan-based Ponemon Institute L.L.C., a small college may not be able to afford to remain in operation after a cyber attack, said Brian Kelly, Hamden, Connecticut-based chief information security officer at Quinnipiac University.

During 2015, cyber attacks have occurred at Harvard University, University of Maine and Penn State College of Engineering, where thousands of college files that had personal data were exposed.

One of the most costly — and common — causes of data breaches is human error, where a laptop or a smartphone is lost or stolen. In February at the University of Maine in Orono, a laptop with student roster information was stolen, and hundreds of Social Security numbers were exposed.

Cyber crime is not only about theft of data or devices; there is also the violation of privacy. “It's not always the case that a computer is involved for the crime to be defined as cyber. ... Cyber is about data privacy and the potential liability if you don't protect data well,” Mr. Glasgow said.

According to a March URMIA survey, a majority of universities are purchasing cyber liability insurance. Of the 109 surveyed, 68% of respondents purchased cyber insurance, with about 70% having done so within the past three years. Those who did not purchase it say they are re-evaluating their decision.

The private institution respondents purchased insurance more often than the public institutions did. Most institutions that bought cyber insurance said they have limits of $5 million or less and deductibles of $50,000 or less. Nearly a third of the respondents have filed a cyber claim and reported being satisfied with the insurer's response.

“Cyber events that can trigger a claim can be in first- or third-party coverage,” Mr. Burnett said. “First-party coverage includes network extortion, where the insured is paid for expenses from the investigation and also covers any payments made to prevent or resolve the threat.” Third-party coverage includes security and privacy liability, which pays for defense costs and damages of third parties, due to a computer security breach, including liability caused by theft or wrongful disclosure of confidential information, according to Mr. Burnett.

“Good risk management reduces exposure and helps in defense of a claim but it does not eliminate the risk of a cyber breach,” said Mr. Glasgow. The U.S. Department of Defense, Federal Bureau of Investigation, Apple Inc., Amazon.com Inc. and Google Inc. have all been hacked, and almost half of all data breaches have been caused by human error, such as a lost device or a rogue employee, according to Mr. Glasgow.